Skip to content

Runasusername windows#73609

Closed
jsturtevant wants to merge 6 commits intokubernetes:masterfrom
jsturtevant:runasusername-windows
Closed

Runasusername windows#73609
jsturtevant wants to merge 6 commits intokubernetes:masterfrom
jsturtevant:runasusername-windows

Conversation

@jsturtevant
Copy link
Copy Markdown
Contributor

@jsturtevant jsturtevant commented Jan 31, 2019

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change

/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
This adds windows configuration and wires up username in the podspec to the runtime interface.

#64009 added run_as_username to the container runtime interface, but did not hook it up in the Kubernetes v1.Container.SecurityContext.runAsUser field.

Which issue(s) this PR fixes:

Fixes #
#73387

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Add v1.Container.SecurityContext.Windows.runAsUserName to the pod spec

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 31, 2019
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Jan 31, 2019

Hi @jsturtevant. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 31, 2019
@k8s-ci-robot k8s-ci-robot added area/kubelet sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 31, 2019
@k8s-ci-robot k8s-ci-robot added the sig/apps Categorizes an issue or PR as relevant to SIG Apps. label Feb 1, 2019
@PatrickLang PatrickLang mentioned this pull request Feb 1, 2019
Closed
@michmike
Copy link
Copy Markdown
Contributor

michmike commented Feb 4, 2019

@liggitt should take a look at this as well. LGTM
/assign @liggitt

@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Feb 4, 2019

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jsturtevant
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: liggitt

If they are not already assigned, you can assign the PR to them by writing /assign @liggitt in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jsturtevant
Copy link
Copy Markdown
Contributor Author

jsturtevant commented Feb 5, 2019

There is more discussion happening for this feature at kubernetes/enhancements#799. The consensus from the sig-windows meeting this morning was to push this feature out to 1.15 and go through the KEP process. Putting this issue on hold until that is submitted and approved.

/hold

The commits here are a working prototype and I was able to verify using these yaml files. A sample yaml file as it is currently prototyped would have a security context that looks like:

    spec:
      containers:
      - name: sc-customuser
        image: stefanscherer/whoami:windows-amd64-1.8.2-1809 
        securityContext:
          windowsOptions:
            runAsUserName: ContainerUser

You can validate by exec into the container and running:

kubectl exec -it sc-customuser-6799b77b6d-sfckq cmd
Microsoft Windows [Version 10.0.17763.253]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>echo %username%
ContainerUser

cc: @PatrickLang @michmike

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 5, 2019
@jsturtevant jsturtevant changed the title [wip] - Runasusername windows Runasusername windows Feb 5, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 5, 2019
@PatrickLang
Copy link
Copy Markdown
Contributor

PatrickLang commented Feb 7, 2019

/sig windows

@k8s-ci-robot k8s-ci-robot added the sig/windows Categorizes an issue or PR as relevant to SIG Windows. label Feb 7, 2019
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Feb 9, 2019

@jsturtevant: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 9, 2019
@PatrickLang PatrickLang mentioned this pull request Apr 12, 2019
Closed
4 tasks
@liggitt
Copy link
Copy Markdown
Member

liggitt commented Apr 17, 2019

@PatrickLang are this and #75459 being combined? wanted to make sure I was looking at the right PRs and that they were ready for review

@PatrickLang
Copy link
Copy Markdown
Contributor

PatrickLang commented Apr 17, 2019
edited
Loading

we're combining these at least into 1 KEP to cover the full WindowsSecurityContext API addition. I'm not 100% yet whether it will be 2 PRs or 1.

@ddebroy
Copy link
Copy Markdown
Contributor

ddebroy commented Apr 18, 2019

Combined KEP for GMSA + RunAsUsername fields: kubernetes/enhancements#972

@PatrickLang PatrickLang mentioned this pull request Apr 18, 2019
Merged
wk8 added a commit to wk8/kubernetes that referenced this pull request Apr 26, 2019
@wk8
Adding a new WindowsSecurityOptions struct
d7aa318 
As outlined in the KEP at
https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190418-windows-security-context.md
and improvements on it at
kubernetes/enhancements#975

For now this struct is left empty, as discussed in the KEP (see above) and as
previously discussed with Jordan Liggitt.

It will allow adding GMSA and options as well as `RunAsUserName` options; both of which have already been pre-implemented respectively at
kubernetes#75459
and kubernetes#73609; and both of which
will need to be re-based to make use of the new struct.

Signed-off-by: Jean Rouge <rougej+github@gmail.com>
@wk8 wk8 mentioned this pull request Apr 26, 2019
Merged
k8s-publishing-bot pushed a commit to kubernetes/api that referenced this pull request May 3, 2019
@wk8 @k8s-publishing-bot
Adding a new WindowsSecurityOptions struct
974df05 
As outlined in the KEP at
https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190418-windows-security-context.md
and improvements on it at
kubernetes/enhancements#975

For now this struct is left empty, as discussed in the KEP (see above) and as
previously discussed with Jordan Liggitt.

It will allow adding GMSA and options as well as `RunAsUserName` options; both of which have already been pre-implemented respectively at
kubernetes/kubernetes#75459
and kubernetes/kubernetes#73609; and both of which
will need to be re-based to make use of the new struct.

Signed-off-by: Jean Rouge <rougej+github@gmail.com>

Kubernetes-commit: d7aa31858e1734861131d2e8d67f94c766f9b577
@PatrickLang PatrickLang mentioned this pull request May 3, 2019
Closed
4 tasks
@liggitt
Copy link
Copy Markdown
Member

liggitt commented May 20, 2019

@ddebroy @PatrickLang

wanted to check in on this... do we want #75459 to land before starting review on this, or is this ready to do in parallel?

@ddebroy
Copy link
Copy Markdown
Contributor

ddebroy commented May 20, 2019
edited
Loading

@liggitt @PatrickLang @jsturtevant I think we can review this in parallel and rebase with #75459 if needed. It will be great if @jsturtevant can rebase this on #77147 first since that has been merged.

@liggitt
Copy link
Copy Markdown
Member

liggitt commented May 21, 2019

It will be great if @jsturtevant can rebase this on #77147 first since that has been merged.

agreed. can you do that first?

@ddebroy
Copy link
Copy Markdown
Contributor

ddebroy commented May 21, 2019

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 21, 2019
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 21, 2019

@jsturtevant: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-node-e2e ed42773 link /test pull-kubernetes-node-e2e
pull-kubernetes-kubemark-e2e-gce-big ed42773 link /test pull-kubernetes-kubemark-e2e-gce-big
pull-kubernetes-bazel-build ed42773 link /test pull-kubernetes-bazel-build
pull-kubernetes-bazel-test ed42773 link /test pull-kubernetes-bazel-test
pull-kubernetes-dependencies ed42773 link /test pull-kubernetes-dependencies
pull-kubernetes-integration ed42773 link /test pull-kubernetes-integration
pull-kubernetes-e2e-gce ed42773 link /test pull-kubernetes-e2e-gce
pull-kubernetes-e2e-gce-100-performance ed42773 link /test pull-kubernetes-e2e-gce-100-performance
pull-kubernetes-typecheck ed42773 link /test pull-kubernetes-typecheck
pull-kubernetes-verify ed42773 link /test pull-kubernetes-verify
pull-kubernetes-e2e-gce-device-plugin-gpu ed42773 link /test pull-kubernetes-e2e-gce-device-plugin-gpu

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@ddebroy
Copy link
Copy Markdown
Contributor

ddebroy commented May 21, 2019
edited
Loading

A couple of things that need to be added from a API review perspective:

  1. We agreed on minimal length validation for the field. Please add the corresponding check (+ unit test) in validateWindowsSecurityContextOptions in pkg/apis/core/validation/validation.go

  2. I think we need a feature flag associated with RunAsUsername along with a corresponding entry in dropDisabledFields (+ unit tests) to prevent users from setting the field if not explicitly enabled.

@liggitt liggitt added this to the v1.15 milestone May 28, 2019
@ddebroy
Copy link
Copy Markdown
Contributor

ddebroy commented May 28, 2019

Update on this PR: it will be postponed to v1.16 based on an update from Patrick.

@liggitt liggitt modified the milestones: v1.15, v1.16 May 29, 2019
@PatrickLang
Copy link
Copy Markdown
Contributor

PatrickLang commented Jun 25, 2019
edited
Loading

This was discussed in an API review with @liggitt , and we have the recommended final name in https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20190418-windows-security-context.md

Here's an example

apiVersion: v1
kind: Pod
metadata:
  name: iis
  labels:
    name: iis
spec:
  securityContext:
    windowsOptions:
      gmsaCredentialSpecName: webapp1-credspec
      runAsUserName: "NT AUTHORITY\\NETWORK SERVICE"
  containers:
    - name: iis
      image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
      ports:
        - containerPort: 80
    - name: logger
      image: eventlogger:2019
      ports:
        - containerPort: 80
  nodeSelector:
    beta.kubernetes.io/os : windows

cc @BCLAU

@claudiubelu claudiubelu mentioned this pull request Jun 27, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dchen1107 dchen1107 Awaiting requested review from dchen1107

@lavalamp lavalamp Awaiting requested review from lavalamp

Assignees

@liggitt liggitt

Labels

area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/windows Categorizes an issue or PR as relevant to SIG Windows.

Projects

API Reviews
Archived in project

Milestone

v1.16

Development

Successfully merging this pull request may close these issues.

6 participants

@jsturtevant @k8s-ci-robot @michmike @PatrickLang @liggitt @ddebroy